External Portal - Security Best Practice

Similar Messages

• SAP and BOBJ XI 3.x Integrated Security Best Practice

  I am trying to find any information around SAP and BOBJ XI 3.x Integrated Security Best Practice.
  So far i think it is uninversally agred that you should :
  1. Utilise the Business Objects platform security model to secure applications, folders and reports.
  2. Use BEx queries as the data source for Business Objects Universes and keep the number BEx queries to a minimum
  3. Use SAP authorisations over the BEx queries to secure report data at a row level.
  Has anyone seen any formal SAP Best Practice document or have any info to add ?
  Andrew

  Hi,
  those three items are all correct. In terms of security you can find lots of material in the standard BW help.
  in terms of query design / universe:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/008d15dc-f76c-2b10-968a-fafe5a121129
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0320722-741c-2c10-afab-93b5c0fc7e96
  ingo

• Any known security best practices to follow for FMS deployment

  Hi all,
  We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

  Hi
  I will add some concepts, I am not sure how all of them work technically but there should be enough here for you to
  dig deeper, and also alot of this is relevant to your environment and how you want to deploy it.
  I have done a 28 server deployment, 4 origin and 24 edge servers.
  All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
  We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are confortable that all your connection types are working and secure.
  Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
  You may want to look at SWF verification. In my understanding, it works as the following. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the highjacking possibilities on your streams.
  If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
  There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains,
  Firewalls and DRM.
  I hope this helps you out.
  Roberto

• Remoting Security: Best Practice

  I am exploring Remoting and I am curious about security best practice. By default, Enable-PSRemoting will configure an HTTP listener that listens to all addresses. Initially I thought this address was the addresses of the computer making
  the demoting request, but it isn't, it's the address on the local machine that is doing the listening. My reason for thinking this was the controller machine IP was that I thought I might want to limit successful remote requests to just the one machine. From
  a security standpoint this seemed better than letting any machine initiate a remote session. I know that the remote session is limited by the permissions of the user initiating, so any real threat is only because I have already been breached anyway. But still,
  I wonder if there is a way, and value, in limiting remoting to a subset of machines?
  Or is the default here really fine from a security standpoint as well?
  Thanks!
  Gordon

  It is most secure to configure remoting and restrict it using Group Policy.  GP will let you define subnets for both ends of the conversation network wide.
  \_(ツ)_/

• Portal backup best practice!!

  Hi ,
  Can anyone let me know where can i get Portal Backup Best Practices!! We are using SAP EP7.
  Thanks,
  Raghavendra Pothula

  Hi Tim: Here's my basic approach for this -- I create either a portal dynamic page or a stored procedure that renders an HTML parameter form. You can connect to the database and render what ever sort of drop downs, check boxes, etc you desire. To tie everything together, just make sure when you create the form, the names of the fields match that of the page parameters created on the page. This way, when the form posts to the same page, it appends the values for the page parameters to the URL.
  By coding the entire form yourself, you avoid the inherent limitations of the simple parameter form. You can also use advanced JavaScript to dynamically update the drop downs based on the values selected or can cause the form to be submitted and update the other drop downs from the database if desired.
  Unfortunately, it is beyond the scope of this forum to give you full technical details, but that is the approach I have used on a number of portal sites. Hope it helps!
  Rgds/Mark M.

• WDA + External Portal + Security

  Hello friends!
  @Moderator, sorry if I post it in a wrong forum, but I think the wda experts should have already faced this issue.
  I've been reading all forums regarding to this subject. As you are going to see, I'm not used to work with WDA Portal integrations and I'm studying hard for it.
  Could you please just guide me what I have be aware to connect WDA from a ERP server to another server, which has installed the Portal? (portal is accessed externally/internet)
  I'm afraid about security, as the employees will access the portal by internet (it's already working fine, today they can access the portal externally and can use some Webdynpros Java) But for now, we are going to rewrite these WDJ to WDA.
  1) The portal server connecting WDA's from a ERP server, isn't it a best practice?
  2) As it is already working (external access to the portal), for now I have just to create the iViews to the WDA's from ERP server?
  3) What would be the security risk when people access the external link to the Portal and the Portal redirected it to the ERP?
  I would greatly appreciate your help in only guide me.
  Thanks in advanced!

  Hello Alexandre,
  Please find the answers to your queries.
  Alexandre Mendes wrote:
  > 1) The portal server connecting WDA's from a ERP server, isn't it a best practice?
  Not at all, The composition Environment CE is intended for this purpose only.
  Alexandre Mendes wrote:
  > 2) As it is already working (external access to the portal), for now I have just to create the iViews to the WDA's from ERP server?
  First you need to create a system connection in portal to the ERP server.  Later you need to create the iViews
  Alexandre Mendes wrote:
  > 3) What would be the security risk when people access the external link to the Portal and the Portal redirected it to the ERP?
  As per my knowledge there is no security risk involved because while accessing the WDA application from ERP the request will be authenticated again.
  BR, Saravanan

• Transfer iphoto library to external harddrive. Best practice?

  Need to transfer iphoto library to external harddrive due to space issues. Best practice?

  Moving the iPhoto library is safe and simple - quit iPhoto and drag the iPhoto library intact as a single entity to the external drive - depress the option key and launch iPhoto using the "select library" option to point to the new location on the external drive - fully test it and then trash the old library on the internal drive (test one more time prior to emptying the trash)
  And be sure that the External drive is formatted Mac OS extended (journaled) (iPhoto does not work with drives with other formats) and that it is always available prior to launching iPhoto
  And backup soon and often - having your iPhoto library on an external drive is not a backup and if you are using Time Machine you need to check and be sure that TM is backing up your external drive
  LN

• SAP Business One 2007 - SQL Security best practice

  I have a client with a large user base running SAP Business One 2007. 
  We are concerned over the use of the sql sa user and the ability to change the password of this ID from the logon of SAP Business One.
  We therefore want to move to use Windows Authentication (ie Trusted Connection) from the SAP BO logon.  It appears however that this can only work by granting the window IDs (of the SAP users) sysadmin access in SQL.
  Does anyone have a better method of securing SAP Business One or is there a recommended best practice.  Any help would be appreciated.
  Damian

  See Administrators Guide for best practise.
  U can use SQL Authentication mode Don't tick Remember password.
  Also check this thread
  SQL Authentication Mode
  Edited by: Jeyakanthan A on Aug 28, 2009 3:57 PM

• SAP HANA Security - Best Practice for Access to Schemas??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  Hi,
  I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
  How does bpel know where to look for the xsd-files and how does the mapping still work?
  This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
  Thanks for any clue.
  Bette

• Users And Security Best Practice

  Dear Experts
  I am designing an application with almost fifty users scattered in different places. Each users should access tables according to his/her criteria. For example salessam, salesjug can see only the sales related tables. purchasedon should access only purchase related tables. i have the following problems
  Is it a best practice to create 50 users in the DB i.e. 50 Schemas are going to be created? Where are these users normally created?
  or is it better for me to maintain a table of users and their passwords in my design itself and i regulate through the front end. seems that this would be risky and a cumbersome process.
  Please advice
  thanks
  Manish Sawjiani

  You would normally create a single schema to own the
  objects and 50 users to use them. You would use roles
  and object privileges to control access.Well, this is the classic 'Oracle' approach to do this. I might say it depends a bit on what you want to achieve. Let's call this approach A.
  The other option was to have your own user/pwd table. You can create your own custom authentication but I would go for the built-in Application Express Users - authentication scheme. You can manage the users via the frontend (Application builder > manage Application Express Users) . There you can manage the groups and end users which you can leverage in your Apex app. You can even use the APIs to create the users programmatically. It is all done for you. Let's call this approach B.
  Some things to consider:
  1) You want to create a web application and also other applications that access the data stored in Oracle (another PHP / Oracle Forms / Perl ) or allow access via SQL/Plus. Then you should use approach A. This way you don't need to reimplement security for these different approaches.
  2) You want to create one (or multiple) Apex applications only. This will be the only mechanism the users will access your data. Then I would go for approach B.
  3) When using approach A some users didn't like that all users will have access to their workspace, including the sql command line and having the capability of building applications and possibly being able to change the data they have access to through the Oracle roles. Locking down this capability is possible but it takes some effort and requires an Apache as a proxy.
  4) When using approach A you will need DBA privileges to manage the users and assign the roles. This might not always be possible nor desired. Depends on who will manage the Oracle XE instance.
  5) Moving the application including the end users to another machine is a bit easier using approach B since they are exported via the application export mechanism. Using approach A you would have to do it yourself. Be aware that the passwords are lost when you install the users into a different Oracle XE instance.
  6) If you design the application using approach B you will have to design security in a way that doesn't rely on the Oracle roles / grants security mechanisms. This makes it easier to change the authentication scheme later. For example, later you want to use a LDAP directory, a different custom authentication scheme or even SSO (SSO is not available out of the box but feasible). This is directly possible.
  Using approach A you would have to recode the security mechanisms (which user is allowed to update/delete which data).
  Hope that clarifies your options a bit.
  ~Dietmar.
  Message was edited by:
  Dietmar Aust
  Corrected a typo in (5): Approach B instead of approach A , sorry.
  Message was edited by:
  Dietmar Aust

• Web application security best practice?

  Hi guys,
  I am developing web app using JSF + Spring + Hibernate. I got a user backing bean which handling user login and logout session. Hence if user sign-in successfully, I will just set userLogIn=true in the userBean.java. I really don;t know if this is the best practice for handling user login session. Any security probelm here? Please advice, Thanks !
  regards,
  kmthien

  hi
  you can also find a lot of info about security handling and JSF if you search the forum.
  thanks.

• Web Intelligence Security Best Practices

  Hi All,
  We are in the process of starting to use web intelligence. I am puttng together a security model for it and I have some questions around best practices. We have a fairly simple two tier security model so far, end users and creators. Creators will be able to create reports in certain folders and everyone else will be able to run and refresh those reports they can see.
  I was going to create a group for all the creators and assign them to a custom access level in the web intelligence application. Then they would also need to be in another creator group for the particular folder. So they would be able to the create reports in that folder and execute reports in another.
  For all the end users, they need to be able to view and refresh reports, drilling, data tracking, etc. if they have access to them. Is the best practice then to just assign the Everyone group the out of the box view on demand access level?
  I have been digging around looking for resources and welcome anyone's input or ideas on the subject.
  Thanks in advance for any assistance provided.

  Thank you for your prompt reply.
  But that means that the same security groups will need to be creaed on both palces, web intelligence application and at the folder level?
  I was thinking if I create a developer group for the web intelligence application level, all developers would go into there. Then at the folder level I could create another folder level security group for developers to access the folder.
  Would that not simplify the maintenance at the application level? Or would that not work?

• Looking for Security Best Practices documentation for Sybase ASE 15.x

  Hello, I'm looking for SAP/Sybase best practice documentation speaking to security configurations for Sybase ASE 15.x. Something similar to this:
  Sybase ASE 15 Best Practices: Query Processing & Optimization White Paper-Technical: Database Management - Syba…
  Thanks!

  Hi David,
  This is something I found on the Sybase site:
  Database Encryption Design Considerations and Best Practices for ASE 15
  http://www.sybase.com/files/White_Papers/ASE-Database-Encryption-3pSS-011209-wp.pdf
  ASE Encryption Best Pracites:
  http://www.sybase.com/files/Product_Overviews/ASE-Encryption-Best-Practices-11042008.pdf
  If these do not help, you can search for others at:
  www.sybase.com > serach box on the top right.
  I searched "best pracitces security"
  Can also run advanced search > I typed in "ssl" into exact phrase.
  Hope this helps,
  Ryan

• HANA Security - Best Practices for Schema??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  >So, if we follow this approach, who should be creating the schema as design time?
  Not sure what you mean by that.  We call this design time because you are creating an artifact in the repository and the catalog object doesn't get created until you activate that design time object.
  > Security Administrator or Developer/Modeler?
  Doesn't really matter. Depends upon your process. However I would say most of the time the developer creates the schema.  The developer doesn't immediately get access to the new schema.  He/She must create a role and that role has to be granted to them before they can see the objects in the new schema.
  >Also, for our current scenario, where developers are doing changes in their own schema, what should be done as a Security Administrator to assign access to a user schema to other developers?
  They shouldn't be creating objects in their user schema.  That user schema is for internal usage - like the creation of temporary objects. It shouldn't be used for any development.

• Portal Design - Best Practices for Role and Workset Tab Menu

  We are looking to identify and promote best practices in SAP Portal Design. 
  First, is there a maximum number of tabs which should exist on the highest level tab menu, commonly called the role menu?  Do a large number of tabs on this menu cause performance issues?  Are there any other issues associated with a large number of tabs on this menu?
  Second, can the workset tab menu be customized to be 2 lines of tabs?  Our goal is to prevent tab scrolling.
  Thanks

  Debra,
  Not aware of any performance issues with the number of tabs in the Level 1 or 2 menus, particularly if you have portal navigation caching enabled.
  From an end user perspective I guess "best practice" would be to avoid scrolling in the top level navigation areas completely if possible.
  You can do a number of things to avoid this, including:
  - Keep the role/folder/workset names as short as possible.
  - If necessary break the role down into multiple level 1 entry points to reduce the number of tabs in level 2.
  An example of the second point would be MSS.  Instead of creating a role with a single workset (i.e. level 1 tab), we usually split it into two folders called something like "My Staff" and My Finance" and define these folders as entry points.  We therefore end up with two tabs in level 1 for the MSS role, and consequently a smaller number of tabs in level 2.
  Hope that helps......
  Regards,
  John